I had success (gist)with ruby's String#crypt method from within a Puppet parser function.

我在 Puppet 解析器函数中使用 ruby​​ 的 String#crypt 方法取得了成功（要点）。

AFAICS it's using the crypt libc functions (see: info crypt), and takes the same arguments $n$[rounds=<m>$]salt, where n is the hashing function ($6 for SHA-512) and m is the number of key strengthening rounds (5000 by default).

AFAICS 它使用 crypt libc 函数（参见：）info crypt，并采用相同的参数$n$[rounds=<m>$]salt，其中 n 是散列函数（SHA-512 为 6 美元），m 是密钥强化轮数（默认为 5000）。

The sha1function in puppet is not directly intended for passwd entries, as you figured out. I'd say setting the hash rather than the password is good practice! You are not really supposed to be able to recover a password anyway - you can generate it once, or you can have puppet generate it every time - generating that hash once should be enough IMHO... You can generate a password on Debian/Ubuntu like this:

sha1正如您所发现的，puppet 中的函数并不直接用于 passwd 条目。我会说设置散列而不是密码是一种很好的做法！无论如何你都不应该能够恢复密码 - 你可以生成一次，或者你可以让 puppet 每次生成它 - 生成一次哈希应该足够恕我直言......你可以在 Debian/Ubuntu 上生成密码像这样：

pwgen -s -1 | mkpasswd -m sha-512 -s

...on CentOS you can use some grub-crypt command instead of mkpasswd...

...在 CentOS 上，您可以使用一些 grub-crypt 命令代替 mkpasswd ...

Linux users have their passwords stored as hash in /etc/shadow file. Puppet passes the password supplied in the user type definition in the /etc/shadow file.

Linux 用户的密码以散列形式存储在 /etc/shadow 文件中。Puppet 传递 /etc/shadow 文件中用户类型定义中提供的密码。

Generate your hash password using openssl command:

使用 openssl 命令生成您的哈希密码：

 #openssl passwd -1  
 #Enter your password here 
 Password: 
 Verifying - Password: 
 $HTQUGYUGYUGwsxQxCp3F/nGc4DCYM

The previous example generate this hash: $1$HTQUGYUGYUGwsxQxCp3F/nGc4DCYM/

前面的例子生成这个哈希：$1$HTQUGYUGYUGwsxQxCp3F/nGc4DCYM/

Add this hash password to your class as shown (do not forget the quotes)

如图所示将此哈希密码添加到您的课程中（不要忘记引号）

user { 'test_user': 
  ensure   => present,
  password => '$HTQUGYUGYUGwsxQxCp3F/nGc4DCYM/',
}

You can use the generatefunction to let Puppet create the hash for you:

您可以使用该generate函数让 Puppet 为您创建哈希：

$password = 'hello'

user { 'test_user':
    ensure   => 'present',
    password => generate('/bin/sh', '-c', "mkpasswd -m sha-512 ${password} | tr -d '\n'"),
}

In my Vagrantfile, I did this:

在我的 Vagrantfile 中，我这样做了：

$newuserid = ENV["USERNAME"]

config.vm.provision :puppet do |puppet|
    puppet.module_path    = "modules"
    puppet.manifests_path = "manifests"
    puppet.manifest_file  = "main.pp"
    puppet.facter         = {"newuserid" => $newuserid}
    puppet.options        = "--verbose"    
end

And in my main.pp file:

在我的 main.pp 文件中：

user { $newuserid :
  ensure  => present,
  home    => "/home/${newuserid}",
  managehome => true,
  gid => "mygid",
}

exec { 'set password':
  command => "/bin/echo \"${newuserid}:${newuserid}\" | /usr/sbin/chpasswd",
  require => User [ $newuserid ],
}

Puppet: user with a SHA 512 hashed password

Puppet：具有 SHA 512 散列密码的用户

I came up with a method that doesn't need anything to add if you have python 2.6. I tested this on puppet 3.6.2on CentOS 6.4:

如果你有 python 2.6，我想出了一个不需要添加任何东西的方法。我对此进行puppet 3.6.2了测试CentOS 6.4：

$pass="password"
$shatag="$6$"
$cmd="import crypt, base64, os, sys; sys.stdout.write(crypt.crypt('$pass', '$shatag' + base64.b64encode(os.urandom(16))[:8]))"
user { 'boop':
  ensure   => present,
  password => generate ("/usr/bin/python", "-c", $cmd),
}

Explanations

说明

1. the sha tag is here to specify to cryptthe hash method we want: 6 is the type of hash for SHA-512

   • $1$ -> MD5
   • $2a$ -> Blowfish (not in mainline glibc; added in some Linux distributions)
   • $5$ -> SHA-256 (since glibc 2.7)
   • $6$ -> SHA-512 (since glibc 2.7)

1. sha 标签在这里指定crypt我们想要的散列方法：6 是 SHA-512 的散列类型

   • $1$ -> MD5
   • $2a$ -> Blowfish（不在主线 glibc 中；在一些 Linux 发行版中添加）
   • $5$ -> SHA-256（自 glibc 2.7 起）
   • $6$ -> SHA-512（自 glibc 2.7 起）

thx daveyand wiki_crypt

THX戴维和wiki_crypt

1. sys.stdout.write is hereto avoid '\n'of print

2. base64.b64encode(os.urandom(16))[:8]):

   • os.urandom(16)create a 16 bits long binary string
   • base64.b64encodeencode this string in base64
   • [:8]take the first 8 characters of this string (as base64 encoding length may vary)

3. generateis a puppet function that create text when on the puppet master. You can't use this function like you want because it is 'protected' ê.é(last postsuggest a workaround to this protection-or-whatever)

2. sys.stdout.write is here避免'\n'的print

3. base64.b64encode(os.urandom(16))[:8])：

   • os.urandom(16)创建一个 16 位长的二进制字符串
   • base64.b64encode将此字符串编码为 base64
   • [:8]取这个字符串的前 8 个字符（因为 base64 编码长度可能会有所不同）

4. generate是一个木偶功能，在木偶大师上创建文本。像你想，因为它是“保护”你不能使用此功能E.E（最后一篇建议的解决方法，这种保护有或任何）

hth

第

The stdlib package of puppetlabs implements a similar pw_hashfunction of the accepted answer.

puppetlabs 的 stdlib 包实现了与pw_hash已接受答案类似的功能。

Be sure to add the library to your configuration. If you use librarian, just add in your Puppetfile

请务必将库添加到您的配置中。如果您使用图书管理员，只需添加您的Puppetfile

mod 'puppetlabs-stdlib'

Then to create an user, simply :

然后创建一个用户，只需：

user { 'user':
  ensure => present,
  password => pw_hash('password', 'SHA-512', 'mysalt'),
}

just generate encrypted password from grub-crypt --sha-512 and paste

只需从 grub-crypt --sha-512 生成加密密码并粘贴